Gootloader infection cleaned up
Dear blog owner and visitors,
This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisioning. Your blog was serving up 385 malicious pages. Your blogged served up malware to 19 visitors.
I tried my best to clean up the infection, but I would do the following:
- Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
- Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
- Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
- Verify all users are valid (in case the attackers left a backup account, to get back in)
- Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
- Run antivirus scans on your server
- Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers command and control servers, which send malicious commands for your blog to execute
- Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure, what this is, Google it
- Consider wiping the server completly, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security,
and Wordfence Security, all do some level of detection, but not 100% guaranteed - Go through the process for Google to recrawl your site, to remove the malcious links (to see what malicious pages there were, Go to Google and search site:your_site.com agreement)
- Check subdomains, to see if they were infected as well
- Check file permissions
Gootloader (previously Gootkit) malware has been around since 2014, and is used to initally infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.
Sincerly,
The Internet Janitor
Below are some links to research/further explaination on Gootloader:
https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/
https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/
https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware
https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html
Day One
Not really. This site’s a decade old. But, I’ve been putting off its development until roughly now.
Left to develop are content [that seems to be useful stuff on the ’net] and revision of form and function.
About the site’s appearance: I’m plotting toward something similar to its current state, but different; more on that once it’s done, rendering this whole sentence a bit meaningless—there’ll come a day when no evidence will remain that the site had once looked like it’ll no longer have looked once it doesn’t look the way it looks only for now, that being no longer the case by then, which will by then be the present and which won’t include the theme it’ll no longer have…or something.
As for content: that’s more about actual news. On which note, I’ve got a bit: 97D [LK0] is now available for the Kindle, supposing that the only reason you’d ever bought a Kindle was so you could read the novel; if not, it’s available anyway.
The intention—since 97D is a prequel to the rest of the S97S, wrtten after the fact—had been to make the thing available for free; but amazon.com aren’t okay with that. Instead, it’s as close to free as they’ll allow, which is US$0.99; technically, the book’s worth 99¢ or more; it’s just a bit annoying that they’re not letting me make it as free as I’d meant to make it.
As for the rest of the S97S: there’s less news about all that, except that I’m kinda staring at the sourcefiles, trying to talk myself into coding several hundred thousand words into the minimal hypertext the Kindle can handle. I’ll get to it; it just won’t be today.
Meanwhile, now that there’s more here than a hiddenish link to the Encyclopaedia Expurgatia, feel free to look around through that until I get more content added to 97D.com itself….